From 35b33adbcaf825f9cf1e015a3c2b04c50fa30d4d Mon Sep 17 00:00:00 2001
From: Peter Van Bouwel
Date: Wed, 20 Nov 2024 14:22:06 +0100
Subject: [PATCH] security: avoid logging authorization header even when invalid
---
 requestutils/amz-credential-value.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requestutils/amz-credential-value.go b/requestutils/amz-credential-value.go
index f9eb7a6..8d0e308 100644
--- a/requestutils/amz-credential-value.go
+++ b/requestutils/amz-credential-value.go
@@ -75,7 +75,7 @@ func getSignatureCredentialStringFromRequestAuthHeader(authorizationHeader strin
 return "", fmt.Errorf("programming error should use empty authHeader to get credential part")
 }
 if !strings.HasPrefix(authorizationHeader, expectedAuthorizationStartWithCredential) {
- return "", fmt.Errorf("invalid authorization header: %s", authorizationHeader)
+ return "", errors.New("invalid authorization header")
 }
 authorizationHeaderTrimmed := authorizationHeader[len(expectedAuthorizationStartWithCredential):]
 return strings.Split(authorizationHeaderTrimmed, ", ")[0], nil
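Review bot: Nothing in this change pins the redaction at the `errors.New("invalid authorization header")` return, so a later edit could put the header value back into the error text unnoticed. A small test that passes a malformed header carrying a recognizable marker and asserts the returned error string does not contain it would guard against that. The import block is outside the hunk and the diffstat shows only the one-line change, so confirm `errors` is already imported in this file. Consider a package-level sentinel such as `var errInvalidAuthorizationHeader = errors.New("invalid authorization header")`, so callers can match it with `errors.Is` and have no reason to inspect the header content. The function body starts above the hunk.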